this post was submitted on 08 Jul 2023
2 points (75.0% liked)

Cybersecurity

75 readers
4 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

founded 1 year ago
MODERATORS
 

(article linked from m/Android)

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

The same was said about social security numbers until SSNs started becoming a primary key to every-fucking-thing which can cross-reference records in countless databases not even associated to the social security office.

Of course SSIDs are sensitive when the context is that they point to where you’ve been & then associate that to where you are right now in realtime; which is then shared with the centralized DB of a surveillance capitalist. When they are coupled to MAC addresses. When snooping cars drive around and record physical locations which are then tied to SSIDs and MAC addresses.

And what if your SSID is “impeach Trump again”, which then pins you to a political leaning that can be exploited in Cambridge Analytica style attacks on democracy? Logs that your phone attempts to connect to that SSID then associates your phone to that.

[–] B16_BR0TH3R 2 points 1 year ago* (last edited 1 year ago) (1 children)

None of that actually matters, because it's the users themselves that have chosen to use WiFi and to broadcast the SSID. If I published my dick picks on the web and then went around naked then you could conceivably correlate the dick pic to my person and my current location. But you wouldn't be breaching my privacy in doing so.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

When you say “breach”, this implies legal noncompliance which depends on where you are. In Europe the data collection you describe would be a breach. In the US, it’d be a lawful attack on your privacy.

Is location sensitive?

Of course your timestamped realtime location history is sensitive information. If you think having your realtime whereabouts tracked doesn’t matter then you most likely have little interest in privacy in the first place¹. In which case I’d say fair enough, but then what are you doing in the cybersecurity magazine?

Boycotts are a thing, not just privacy

Some of us boycott surveillance capitalists (#GAFAM). There’s a lot of data that we might not give a shit if they collected in the absence of our boycott (though not location tracking- that’s sensitive anyway). Boycotting does not just mean not paying them. It means not recklessly disclosing profitable data to them. In principle I don’t give a shit if Microsoft records my favourite color. But if MS figures out how to profit from that info in some way, then I’m interested in witholding it from MS. And indeed that’s still a privacy matter nontheless because #privacy is about control.

footnotes (TL;DR: why location history is sensitive info)

  1. Further elaboration: Everyone decides for themselves what info is sensitive to their operations which then serves as input to the threat model. It’s not for you to speak for everyone in saying “info X is not sensitive”. Some people who live quite simple lives may not regard time and location history as sensitive, but this flies in the face of those who deem it sensitive. You should first consider the obvious cases which trivially disprove your claim: Bin Ladin, Edward Snowden, anyone wanted by law enforcement. But to be clear, you need not be high profile or even be a refugee/undocumented immigrant for realtime location to matter. Someone might be an abortion client whose location was recorded in the parking lot of an abortion clinic in a state that has banned it. Someone’s location might be that of where their extramarital affair takes place. There are countless examples. Let me know if you need more.

(edit)
Know your audience

I fixated on your #falseAnalogy fallacy and overlooked this:

because it’s the users themselves that have chosen to use WiFi and to broadcast the SSID

Even if you do not broadcast your #SSID it’s still publicly available. It’s in that air traffic Google was caught overcollecting. If someone chooses to hide their SSID, you could say that’s an expression of intent & collection of that data is thus a breach. Even in the US, if someone uses a weak WEP they still at least get legal protections from intrusions. Generally, legal protections in the US kick in when expression of intent or authority is disclosed.

Most importantly, you’ve missed the thesis. The article is not for those who are happy to disclose their SSID & all the associated tracking of their phone then searching for that SSID wherever they are. The article is for those who specifically opt not to disclose. You are using the intent of audience A to falsely imply intentions of audience B. Audience A would have skipped this article just based on the title alone.

[–] B16_BR0TH3R 1 points 1 year ago (1 children)

Please explain how the data collection I described would be a breach of privacy in Europe or anywhere else. What rule or statute would it not be compliant with?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

First of all, the answer to that wouldn’t matter because the article is about privacy protection not law enforcement. But to answer the question, collecting personal info about people without their express consent in Europe violates the #GDPR.

The GDPR makes some exceptions for cases where info can be collected on people nonconsentually (e.g. public health systems, law enforcement, scientific research), but your scenario does not match any legal exception. At best, you would have to make your activity part of a scientfiic study. And you wouldn’t get away with simply claiming it’s for science. You would have to make a convincing case that the study is for signficant public benefit.

[–] B16_BR0TH3R 1 points 1 year ago (1 children)

No, SSIDs are obviously public (since you're transmitting them to outside your own house) and would come under the GDPR provisions for collecting publically available information. You may need to inform me that you've collected my data, but that's all.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

There is no GDPR provision for collecting publicly available information that is personal w.r.t. individuals. You can only collect public info if it cannot be tied to an individual. For example, if a car is illegally parked and you photograph it and post it online, you must blur the license plate. It doesn’t matter that the image was in the public.

But again, this whole subthread is a #redHerring because the article is for those who actually intend to keep their sensitive info out of public view, not the others for whome the topic is irrelevant.

[–] B16_BR0TH3R 1 points 1 year ago (1 children)

Call it a red herring if you like, I'm just curious to see your rationale for claiming that others can't legally collect the information that I've willingly broadcasted to all and sundry. I can't say that I understand the rationale yet. I agree with your last example that I would need to obscure the license plate if I published a picture of your car on a public street, but the example doesn't seem to cover the actual case. A better example might be that you were shouting your license plate number out to a crowded street. Would I then be prevented from writing down (collecting) the number that you were shouting?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

A better example might be that you were shouting your license plate number out to a crowded street. Would I then be prevented from writing down (collecting) the number that you were shouting?

How would you comply with article 13? Would you walk over to me and give me your contact details as required by ¶1(a), the purpose of your collection ¶1(c), the length of time you will keep the data ¶2.(a), and also informing me of my right to erasure ¶2(c)?

What if I shouted my plate number from a moving car & you were only able to write it down before I was gone? How are you going to comply with article 13? Are you going to get in a faster car & chase me down to shout back all that information about you as a data controller?

Also, which article 6¶1 rationale do you think makes your collection lawful?

Google & Apple may or may not have the contact details of those whose WiFi data they collect but I certainly have never received an article 13 compliant notice from Google or Apple (neither of whom I have contracts with).